GRC Manager

Pillsbury Winthrop Shaw Pittman LLP, Nashville, TN

About The Position

The GRC Manager is responsible for day-to-day execution of Pillsbury’s Governance, Risk & Compliance (GRC) program, ensuring the firm maintains strong operational performance across ISO 27001, CMMC Level 2, vendor risk management, business continuity documentation, internal audit readiness, policy governance, and security awareness functions. The GRC Manager translates strategic direction into actionable workflows, coordinates cross-functional teams, supports evidence lifecycle management, leads readiness activities, and ensures all GRC processes operate smoothly and efficiently. This role requires strong coordination, documentation, audit, and control-testing capabilities paired with working technical fluency to understand control implications without performing system administration.

Requirements

  • 5-10+ years of experience in cybersecurity governance, risk, compliance, audit, or related disciplines.
  • Strong experience with IT controls, internal audit, risk assessments, or compliance operations.
  • Working technical fluency - able to understand control expectations, architectural impacts, and technical evidence.
  • Demonstrated ability to coordinate assessments or audits and lead multi-stakeholder compliance processes.
  • Excellent documentation, writing, and organizational skills with attention to detail.
  • Experience with GRC platforms (e.g., Archer, ServiceNow GRC, OneTrust, FutureFeed).
  • Strong interpersonal skills and experience collaborating across business, IT, and security teams.
  • Operational leadership and coordination
  • Strong written and verbal communication
  • Analytical problem-solving
  • Professional judgment and discretion
  • Ability to manage multiple workflows simultaneously
  • High-quality documentation and reporting discipline
  • Ability to sit and stand for extended periods.
  • Ability to lift up to 20 pounds.

Nice To Haves

  • Certifications such as CISA, CISM, ISO 27001 Lead Implementer/Lead Auditor, CGRC (CAP), CCAK, or CMMC-related credentials.
  • Experience supporting or leading ISO 27001 or CMMC compliance efforts.
  • Familiarity with process maturity models such as CMMI.
  • Prior experience supervising or mentoring analysts, associates, or cross-functional team members in a compliance, audit, or risk-management setting.

Responsibilities

  • Lead day-to-day execution of ISO 27001 and CMMC Level 2 programs, ensuring alignment with regulatory and framework requirements.
  • Translate strategy from the GRC Director into operational plans, workflows, and coordinated activities across departments.
  • Oversee evidence lifecycle management, ensuring accuracy, completeness, and readiness for assessments.
  • Manage recurring readiness cycles, status tracking, remediation follow-up, and program documentation.
  • Coordinate closely with IT and Security SMEs to validate controls conceptually, assess alignment, and ensure proper documentation.
  • Serve as the primary operational point of contact for external auditors, assessors, and C3PAOs.
  • Lead audit planning, evidence packaging, SME coordination, and communication throughout assessment cycles.
  • Track findings, corrective actions, and remediation progress, ensuring issues are resolved on schedule.
  • Maintain audit documentation repositories and ensure audit materials remain continuously ready.
  • Oversee the full lifecycle of policies, standards, and procedures, including drafting, reviewing, updating, and publishing governance documents.
  • Ensure governance documents (including the SSP, POA&M, SoA, risk registers, and operational procedures) are current, consistent, and high quality.
  • Maintain comprehensive version control and documentation structures across all GRC-managed artifacts.
  • Lead operational ownership of the firm’s risk register, including risk identification, scoring, tracking, and reporting.
  • Support annual and ongoing risk assessments and help drive risk-based decisions and improvements.
  • Co-lead risk committee or GRC steering activities with the Director and ensure preparation of materials.
  • Oversee intake and assessment of third-party vendors, coordinating review of security documentation, questionnaires, and remediation efforts.
  • Work with Procurement, Legal, IT, and the GRC Director to ensure consistent vendor oversight processes.
  • Manage updates to business continuity and disaster recovery documentation, including BIAs, plan revisions, team rosters, and dependencies.
  • Coordinate documentation, reporting, and follow-up from continuity exercises, DR tests, and tabletop sessions.
  • Maintain continuity evidence in support of compliance audits and regulatory assessments.
  • Oversee rollout of cybersecurity awareness campaigns and required annual trainings.
  • Monitor participation, ensure compliance, and support content preparation aligned with firm and regulatory requirements.
  • Lead readiness meetings, documentation reviews, action-item tracking, and other recurring GRC operational sessions.
  • Coordinate and supervise third-party consultants, advisors, and GRC service providers as needed.
  • Serve as the operational escalation point for compliance risks, elevating issues to the GRC Director as appropriate.
  • Provide backup support for client security questionnaires or reviews when delegated by the GRC Director.